LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Networking (http://www.linuxquestions.org/questions/linux-networking-3/)
-   -   BIND 9 Permission denied when chmod is 777 o_O (http://www.linuxquestions.org/questions/linux-networking-3/bind-9-permission-denied-when-chmod-is-777-o_o-358688/)

KasperLotus 08-30-2005 10:15 PM

BIND 9 Permission denied when chmod is 777 o_O
 
Hi,
I've been fiddling with this for 2 days now and I still can't get it to work. I have all the directories up to my pid file chmoded to 755 (and I've tried it with all of them 777) and they are all owned by named and I know BIND is running as named but it still says "cannot open file ".../named.pid" : Permission denied".

Now here's the really weird part, when I run "named -u named -t /var/named/chroot -g" everything works fine, but when I run "service named start" it fails and it says Permission denied. o_O weird huh? Any ideas?

Thanks,
Brandon

aznluvsmc 08-30-2005 11:58 PM

Is your named process chrooted? If so, you may not following the correct path to the named.pid file. What distro are you using?

KasperLotus 08-31-2005 12:04 AM

My bind is chrooted and the path I have to the named.pid file is (absolute path) /var/named/chroot/var/run/named.pid I've tried many other paths and they all give the same error. I'm running Fedora Core 4.

EDIT: Another problem I just rememberd, whenever I run it in the foreground, it should still technically be running. If I make changes to the domains I am DNSing then it should update them when I restart right? I originally configured the domains with the wrong IPs so now that I've fixed it and I run it in the foreground, shouldn't a "host" command retrieve the updates instead?

EDIT2: Experimenting with dig, I discovered that my nameserver finally updated and nslookup and host said the same, but now it says that the connection was refused when I try to go to www.unnaturalfusion.com. My firewall and router are setup correctly, any ideas?

scowles 08-31-2005 04:40 AM

Are you talking about the dig query was refused? i.e. status REFUSED
Code:

;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 46206
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

If thats the case, then I'd be willing to bet you have accidentally configured bind to refuse queries outside its authoritative zones (I can't tell from your post).

A couple of things to check:

1) Is recursion on?
2) What is the setting for "allow-query" either globally or within the zone statements?

KasperLotus 08-31-2005 10:51 AM

How do I set and check recursion? And the dig connection wasn't refused, a firefox connection was refused.

Darvocet 08-31-2005 09:48 PM

Quote:

Originally posted by KasperLotus
How do I set and check recursion? And the dig connection wasn't refused, a firefox connection was refused.
Usually recursion is on by default, however you can double check it by setting the

recursion on;

in the named.conf. Recursion needs to be on for local dns or for the machine to cache answers in my experience.

aznluvsmc 09-04-2005 10:27 PM

If you were refused trying to access a website then it's most likely an setting on the web server. Double check the settings if it's your own server or contact the admin of that server to find out about the issue.

Fredstar 09-05-2005 12:54 AM

One answer chcon

for your name server.

the problem is that although named starts off as root it is still denied when it tryes to write the pid file. this is because it does not, by default, have the correct setup for the directory (this problem is that same with apache and other system run processes)

fixing this

cd /var/run/
ls -Z

should return

## I have the chmod high because i was stumped by the permisson denied, this will change

Code:

drwxrwxr-x  named    named    system_u:object_r:named_var_run_t named
However, the important part is system_u (the user) and named_var_run_t (the type) if this is not what you see the following should fix this.

Code:

chcon -u system_u -t named_var_run_t /var/run/named/
next restart bind with user named

Code:

named -u named
To make sure all went well its always good to check /var/log/messages incase something went wrong with start up or zonefiles.

for apache (2) -

basically the same thing only difference is the -t (type)

//this must be set for all directory's you wish to have apache webserver access
Code:

chcon -Rt httpd_sys_content_t /your/DocumentRoot/
just to check and make sure everything works ok

Code:

chcon -Z
should return

Code:

drwxr-xr-x  your_user    its_group system_u:object_r:httpd_sys_content_t YOUR-DOCUMENT-ROOT
Note that if the user is not system_u then you should change it , and all sub-direcotrys with
Code:

chcon -Ru system_u /your/DocumentRoot


hope this helps!!

edited to disable smiles

KasperLotus 09-05-2005 07:40 PM

After the chcon command on several directories which were problematic, I ran "service named start" and got this error in the log file. It failed to start.

audit(1125967391.931:21): avc: denied { write } for pid=2967 comm="named" name=named dev=hda1 ino=613281 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir

Apparently, root is still the user, but when I run ls -Z it appears that system_u is the user....o_O

edited to disable smilies

Fredstar 09-06-2005 09:16 PM

Odd..

Did you make sure to set the type correctly?

Cause that was the big problem mine had when it wasn't running.

KasperLotus 09-07-2005 12:20 AM

Yeah, I made sure of that. I actually got it working by turning off the SELinux protection for the name server daemon and voila, it ran without an error. Thanks for all your help though.

Cheers.


All times are GMT -5. The time now is 03:23 AM.